
Tor at the Heart: NetAidKit

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

by Menso Heus

The NetAidKit is a USB-powered router that connects to your wired or wireless network and helps you increase your privacy and beat online censorship for all your devices. Acting as a friendly man-in-the-middle, the NetAidKit is able to send all your network traffic over a VPN or Tor connection without needing to configure any of your devices. This also means that if you have specific hardware devices that are unable to run Tor, you can simply connect them to the NetAidKit to make all their traffic go over Tor anyway.

Free Press Unlimited and Radically Open Security developed the NetAidKit specifically for non-technical users, and the NetAidKit comes with an easy-to-use web interface that allows users to connect to Tor or upload OpenVPN configuration files and connect to VPN networks.

The NetAidKit transparently routes traffic over Tor. We believe this is a great (and free) way to circumvent censorship, but it obviously does not provide the same anonymity benefits that the Tor Browser Bundle provides. This is something we warn users about specifically every time they connect to Tor, recommending they also use the Tor Browser Bundle if they wish to remain anonymous.

At the same time, by routing all traffic over Tor, NetAidKit provides a tool for users' e-mail, social media clients and other network applications to run over Tor as well, providing Tor's benefits to applications other than a browser.

The NetAidKit runs on OpenWRT and uses the OpenWRT tor client. Current challenges include getting the obfuscating protocols to work on the NetAidKit since it has a limited storage capacity. We hope that in 2017 we can improve Tor support further by collaborating with the Tor Project.

Off the top of my head, without looking at the documentation,
1. You don't need to buy a power cable, SD card, WiFi card (except Pi 3), or case
2. You don't need to consume an extra USB port for power
3. You don't need to install any OS on the SD card using another Linux machine or image writer application
4. You don't need an HDMI compatible monitor/TV or serial port to perform the initial setup (enabling SSH)
5. You don't need to install the Tor package, enable the systemd service, and edit torrc (to listen on non-loopback ports)
6. You might not need to update manually

Although personally I would just use a Raspberry Pi if I needed a dedicated hardware device for some reason, for many people it is easier to use one of these boxes.

1. Keep a page collecting links to all the "Tor at the Heart" posts, for easy reference by pro-democracy enthusiasts who want to brag all next year to politicians about all the things Tor is doing for The People.

2. Summarize the results of the Funding Drive in pie charts as per Tails Project: where the money came from and where it is spent.

3. Ask Bruce Schneier or another expert to review the cryptographic state of the art at the layperson level (hard), with respect to technical threats and opportunities for future Tor.

I read through some of their code on github and I have to say I wasn't impressed... First thing I came across was their sshd running on a high port, which is a no-no for security. And all the actual options for hardening they could have used, they didn't implement. And then they have /usr/bin/netaidkit run with NOPASSWD sudo in their sudoers config, instead of using a service to run it as the proper user. Their password changing script hashes your password with... wait for it... MD5!
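As an added illustration of the password-hashing point raised in the comment above (this is example code written for this page, not NetAidKit's own script, and it makes no claim about what that project actually does), here is the unsalted single-round MD5 pattern beside a salted PBKDF2-HMAC-SHA256 scheme with constant-time verification. The storage format, the 16-byte salt and the iteration count are choices made here, not anything from the page.

```python
# Added example: weak unsalted MD5 password hashing next to a salted,
# iterated PBKDF2-HMAC-SHA256 scheme. Not NetAidKit code; the storage
# format "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" and the
# iteration count are assumptions made for this illustration.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise as hardware allows
SALT_BYTES = 16               # per-user random salt length


def weak_md5_hash(password: str) -> str:
    """Unsalted, single-round MD5: identical passwords give identical digests,
    so one precomputed table breaks every account at once, and the digest is
    cheap enough that brute force runs at billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt (or a caller-supplied one for tests) and
    return a self-describing string that records algorithm, cost and salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; malformed or foreign records are rejected, never trusted."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def same_password_same_record(scheme, password: str = "correct horse") -> bool:
    """True if hashing the same password twice yields the same stored value,
    which is exactly the property an unsalted scheme has and a salted one lacks."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    record = pbkdf2_hash("s3cret-passphrase")
    print("stored record:", record)
    print("verify correct:", pbkdf2_verify("s3cret-passphrase", record))
    print("verify wrong:  ", pbkdf2_verify("guess", record))
    print("md5 repeats:   ", same_password_same_record(weak_md5_hash))
    print("pbkdf2 repeats:", same_password_same_record(pbkdf2_hash))
```

Recording the iteration count in the stored string lets the cost be raised later without invalidating existing records, and `hmac.compare_digest` avoids leaking how many digest bytes matched through timing.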

I think if we'd had more time, we would have done this blog post better. Netaidkit is a great candidate for Mike's upcoming "Tor Labs" plan, which aims to showcase projects that need more developer attention. In the meantime, for a bit more discussion about magic anonymity boxes, be sure to look at these two posts from the past:

Recent Updates

Hi! There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.3.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in February.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It introduces a mechanism to handle the high loads that many relay operators have been reporting recently. It also fixes several bugs in older releases. If this new code proves reliable, we plan to backport it to older supported release series.

Changes in version 0.3.3.2-alpha - 2018-02-10

Major features (denial-of-service mitigation):

Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there's no need to configure anything manually. Implements ticket 24902.
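The three defenses above are easier to reason about as a small model. The following is an added example written for this page, not Tor's C implementation: a per-address connection cap, a circuit-creation token bucket that only penalises an address if it also holds enough open connections, and refusal of rendezvous requests that arrive straight from a client. The thresholds are the defaults quoted in the changelog; the one-hour defense period is an assumption at the low end of the "1-2 hours" the changelog gives, and the sample client addresses are constructed.

```python
# Added model of the relay-side DoS defenses described in the 0.3.3.2-alpha
# changelog. Illustration only, not Tor's own code. Defaults are the ones the
# changelog quotes; DEFENSE_PERIOD is an assumption (low end of "1-2 hours").
from dataclasses import dataclass

MAX_CONCURRENT_CONNS = 100   # defense 1: hang up on further connections above this
CIRC_MIN_CONNS = 3           # defense 2 only marks addresses with >= this many conns
CIRC_RATE = 3.0              # circuit-creation tokens refilled per second
CIRC_BURST = 90              # token-bucket capacity (allowed burst)
DEFENSE_PERIOD = 3600.0      # seconds a marked address keeps being refused (assumed)


@dataclass
class ClientState:
    """Per-client-address bookkeeping."""
    conns: int = 0               # currently open connections from this address
    tokens: float = CIRC_BURST   # circuit-creation token bucket
    last_refill: float = 0.0     # time of the last bucket refill
    marked_until: float = 0.0    # refuse CREATE cells from this address until then


class DosMitigation:
    def __init__(self):
        self.clients = {}

    def _state(self, addr):
        return self.clients.setdefault(addr, ClientState())

    def is_marked(self, addr, now):
        return now < self._state(addr).marked_until

    # Defense 1: concurrent-connection cap per client address.
    def on_new_connection(self, addr, now):
        """Return True if the connection is accepted, False if the relay hangs up."""
        st = self._state(addr)
        if st.conns >= MAX_CONCURRENT_CONNS:
            return False
        st.conns += 1
        return True

    def on_connection_closed(self, addr):
        st = self._state(addr)
        st.conns = max(0, st.conns - 1)

    # Defense 2: circuit-creation rate limit, gated on the open-connection count.
    def on_create_cell(self, addr, now):
        """Return True if the CREATE cell should be processed."""
        st = self._state(addr)
        if now < st.marked_until:
            return False                      # address is under the refuse defense
        # Refill the bucket for the elapsed time, capped at the burst size.
        st.tokens = min(CIRC_BURST, st.tokens + (now - st.last_refill) * CIRC_RATE)
        st.last_refill = now
        if st.tokens >= 1:
            st.tokens -= 1
            return True
        # Bucket is empty: only an address that also holds enough open
        # connections gets marked, so a single busy client is not penalised.
        if st.conns >= CIRC_MIN_CONNS:
            st.marked_until = now + DEFENSE_PERIOD
            return False
        return True

    # Defense 3: ignore rendezvous-point requests that come straight from a client.
    @staticmethod
    def on_establish_rendezvous(direct_from_client):
        """Return True if the ESTABLISH_RENDEZVOUS request is honoured."""
        return not direct_from_client


def connection_cap_demo(attempts=101, addr="198.51.100.7"):
    """Open `attempts` connections from one constructed address; return how many were accepted."""
    dm = DosMitigation()
    return sum(dm.on_new_connection(addr, 0.0) for _ in range(attempts))


def circuit_flood_demo(open_conns, cells, addr="198.51.100.8"):
    """Burst `cells` CREATE cells at t=0 from an address holding `open_conns`
    connections; return (accepted count, whether the address got marked,
    whether a CREATE cell is accepted again once the defense period has passed)."""
    dm = DosMitigation()
    for _ in range(open_conns):
        dm.on_new_connection(addr, 0.0)
    accepted = sum(dm.on_create_cell(addr, 0.0) for _ in range(cells))
    marked = dm.is_marked(addr, 0.0)
    recovered = dm.on_create_cell(addr, DEFENSE_PERIOD + 1.0)
    return accepted, marked, recovered


if __name__ == "__main__":
    print("connections accepted out of 101:", connection_cap_demo())
    print("3 open conns, 100 CREATEs:", circuit_flood_demo(3, 100))
    print("1 open conn,  100 CREATEs:", circuit_flood_demo(1, 100))
    print("direct rendezvous honoured:", DosMitigation.on_establish_rendezvous(True))
```

The gating on `CIRC_MIN_CONNS` is the part worth noticing: an address that drains its burst over a single connection is left alone, while one that does so while also holding several connections open (the pattern the overload showed) is refused for the whole defense period, and its bucket is full again by the time the mark expires. On a real relay these knobs are driven by consensus parameters, with the torrc options (DoSCircuitCreationEnabled, DoSConnectionEnabled and DoSRefuseSingleHopClientRendezvous in the tor manual) available for manual override.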

Major bugfixes (netflow padding):

Stop adding unneeded channel padding right after we finish flushing to a connection that has been trying to flush for many seconds. Instead, treat all partial or complete flushes as activity on the channel, which will defer the time until we need to add padding. This fix should resolve confusing and scary log messages like "Channel padding timeout scheduled 221453ms in the past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.